Successful and failed login details

Is it possible to get successful and failed login details for HTTP/FTP/SSH connections using Bro IDS? Also, can it identify which user is trying to do the connections, in addition to the IP address of the machine?


Vikram Basu

It is possible, but at the moment you will need to do it in a less-than-pleasant way. You would do it by finding the events for each of the relevant protocols where the data is available. I’ve been hoping to find some time to get a version of the long-discussed “authentication framework” into 2.6. Once that’s available you would be able to access authentication information directly through there as an abstraction.
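
The per-protocol approach described in the reply above, as an added example that is not part of the original thread and not code from the Bro project. It assumes the event names and signatures of Bro releases before 2.6 and the `username` field the base HTTP scripts fill in from Basic auth; `AuthSketch`, `note_auth` and `ftp_user` are hypothetical names.

```bro
@load base/protocols/ftp
@load base/protocols/http
@load base/protocols/ssh

module AuthSketch;

# FTP user names seen in USER commands, keyed by connection UID (hypothetical state).
global ftp_user: table[string] of string &create_expire=5 mins;

# Hypothetical helper: one output line per observed authentication outcome.
function note_auth(c: connection, proto: string, user: string, ok: bool)
	{
	print fmt("%s %s %s -> %s user=%s %s", network_time(), proto,
	          c$id$orig_h, c$id$resp_h, user, ok ? "success" : "failure");
	}

# FTP is cleartext: remember the USER argument, then read the outcome
# from the reply code (230 = logged in, 530 = not logged in).
event ftp_request(c: connection, command: string, arg: string)
	{
	if ( command == "USER" )
		ftp_user[c$uid] = arg;
	}

event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
	{
	if ( cont_resp || c$uid !in ftp_user || (code != 230 && code != 530) )
		return;
	note_auth(c, "ftp", ftp_user[c$uid], code == 230);
	delete ftp_user[c$uid];
	}

# SSH: the user name travels encrypted, so only the originator IP is
# available, and the outcome is the analyzer's heuristic guess.
event ssh_auth_successful(c: connection, auth_method_none: bool)
	{ note_auth(c, "ssh", "<encrypted>", T); }

event ssh_auth_failed(c: connection)
	{ note_auth(c, "ssh", "<encrypted>", F); }

# HTTP: only Basic auth over cleartext HTTP is visible here; form-based
# logins are application-specific and are not covered.
event http_reply(c: connection, version: string, code: count, reason: string)
	{
	if ( c?$http && c$http?$username && (code == 401 || code < 400) )
		note_auth(c, "http", c$http$username, code != 401);
	}
```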